162 changes: 113 additions & 49 deletions shared/oval/accounts_passwords_pam_faillock_deny.xml
@@ -1,5 +1,5 @@
<def-group>
<definition class="compliance" id="accounts_passwords_pam_faillock_deny" version="1">
<definition class="compliance" id="accounts_passwords_pam_faillock_deny" version="2">
<metadata>
<title>Lock out account after failed login attempts</title>
<affected family="unix">
Expand All @@ -8,80 +8,144 @@
<platform>Fedora 20</platform>
</affected>
<description>The number of allowed failed logins should be set correctly.</description>
<reference source="swells" ref_id="20131025" ref_url="test_attestation" />
<reference source="JL" ref_id="RHEL6_20150114" ref_url="test_attestation" />
<reference source="JL" ref_id="RHEL7_20150114" ref_url="test_attestation" />
<reference source="JL" ref_id="FEDORA20_20150114" ref_url="test_attestation" />
</metadata>
<criteria>
<criterion comment="pam_faillock.so authfail deny value set in system-auth" test_ref="test_accounts_passwords_pam_faillock_authfail_deny_system-auth" />
<criterion comment="pam_faillock.so authfail deny value set in password-auth" test_ref="test_accounts_passwords_pam_faillock_authfail_deny_password-auth" />
<criterion comment="pam_faillock.so authsucc deny value set in password-auth" test_ref="test_accounts_passwords_pam_faillock_authsucc_deny_system-auth" />
<criterion comment="pam_faillock.so authsucc deny value set in password-auth" test_ref="test_accounts_passwords_pam_faillock_authsucc_deny_password-auth" />

<criterion test_ref="test_accounts_passwords_pam_faillock_preauth_silent_system-auth"
comment="pam_faillock.so preauth silent set in system-auth" />
<criterion test_ref="test_accounts_passwords_pam_faillock_authfail_deny_system-auth"
comment="pam_faillock.so authfail deny value set in system-auth" />
<criterion test_ref="test_accounts_passwords_pam_faillock_account_phase_system-auth"
comment="pam_faillock.so set in account phase of system-auth" />
<criterion test_ref="test_accounts_passwords_pam_faillock_preauth_silent_password-auth"
comment="pam_faillock.so preauth silent set in password-auth" />
<criterion test_ref="test_accounts_passwords_pam_faillock_authfail_deny_password-auth"
comment="pam_faillock.so authfail deny value set in password-auth" />
<criterion test_ref="test_accounts_passwords_pam_faillock_account_phase_password-auth"
comment="pam_faillock.so set in account phase of password-auth" />

</criteria>
</definition>

<!-- check for authfail deny in system-auth -->
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)" id="test_accounts_passwords_pam_faillock_authfail_deny_system-auth" version="1">
<ind:object object_ref="object_accounts_passwords_pam_faillock_authfail_deny_system-auth" />
<ind:state state_ref="state_accounts_passwords_pam_faillock_authfail_deny_system-auth" />
<!-- Specify required external variable & create corresponding state from it -->
<external_variable id="var_accounts_passwords_pam_faillock_deny" datatype="int"
comment="number of failed login attempts allowed" version="1" />

<ind:textfilecontent54_state id="state_var_accounts_passwords_pam_faillock_deny_value" version="1">
<ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_deny" />
</ind:textfilecontent54_state>

<!-- Check for preauth silent in /etc/pam.d/system-auth -->
<!-- Also check the 'deny' option value matches the number of failed login attempts allowed -->
<ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_preauth_silent_system-auth"
check="all" check_existence="all_exist"
comment="Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth" version="1">
<ind:object object_ref="object_accounts_passwords_pam_faillock_preauth_silent_system-auth" />
<ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authfail_deny_system-auth" version="1">
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_preauth_silent_system-auth" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true" />
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+authfail.*deny=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<!-- check for authfail deny in password-auth -->
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/password-auth (authsucc)" id="test_accounts_passwords_pam_faillock_authfail_deny_password-auth" version="1">
<ind:object object_ref="object_accounts_passwords_pam_faillock_authfail_deny_password-auth" />
<ind:state state_ref="state_accounts_passwords_pam_faillock_authfail_deny_password-auth" />
<!-- Check for authfail deny in /etc/pam.d/system-auth -->
<ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_authfail_deny_system-auth"
check="all" check_existence="all_exist"
comment="Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)" version="1">
<ind:object object_ref="object_accounts_passwords_pam_faillock_authfail_deny_system-auth" />
<ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authfail_deny_password-auth" version="1">
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authfail_deny_system-auth" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true" />
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<!-- check for authsucc deny in system-auth -->
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/system-auth (authsucc)" id="test_accounts_passwords_pam_faillock_authsucc_deny_system-auth" version="1">
<ind:object object_ref="object_accounts_passwords_pam_faillock_authsucc_deny_system-auth" />
<ind:state state_ref="state_accounts_passwords_pam_faillock_authsucc_deny_system-auth" />
<!-- Check for pam_faillock.so present in account phase of /etc/pam.d/system-auth -->
<ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_account_phase_system-auth"
check="all" check_existence="all_exist"
comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/system-auth" version="1" >
<ind:object object_ref="object_accounts_passwords_pam_faillock_account_phase_system-auth" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authsucc_deny_system-auth" version="1">
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_account_phase_system-auth" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true" />
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+authsucc.*deny=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<!-- check for authsucc deny in password-auth -->
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/password-auth (authsucc)" id="test_accounts_passwords_pam_faillock_authsucc_deny_password-auth" version="1">
<ind:object object_ref="object_accounts_passwords_pam_faillock_authsucc_deny_password-auth" />
<ind:state state_ref="state_accounts_passwords_pam_faillock_authsucc_deny_password-auth" />
<!-- Check for preauth silent in /etc/pam.d/password-auth -->
<!-- Also check the 'deny' option value matches the number of failed login attempts allowed -->
<ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_preauth_silent_password-auth"
check="all" check_existence="all_exist"
comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth" version="1">
<ind:object object_ref="object_accounts_passwords_pam_faillock_preauth_silent_password-auth" />
<ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authsucc_deny_password-auth" version="1">
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_preauth_silent_password-auth" version="1">
<!-- Read whole /etc/pam.d/password-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true" />
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authsucc.*deny=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<!-- state placeholders -->
<ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_authfail_deny_system-auth" version="1">
<ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_deny" />
</ind:textfilecontent54_state>
<!-- Check for authfail deny in /etc/pam.d/password-auth -->
<ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_authfail_deny_password-auth"
check="all" check_existence="all_exist"
comment="Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)" version="1">
<ind:object object_ref="object_accounts_passwords_pam_faillock_authfail_deny_password-auth" />
<ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_authfail_deny_password-auth" version="1">
<ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_deny" />
</ind:textfilecontent54_state>
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authfail_deny_password-auth" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true" />
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_authsucc_deny_system-auth" version="1">
<ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_deny" />
</ind:textfilecontent54_state>
<!-- Check for pam_faillock.so present in account phase of /etc/pam.d/password-auth -->
<ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_account_phase_password-auth"
check="all" check_existence="all_exist"
comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/password-auth" version="1" >
<ind:object object_ref="object_accounts_passwords_pam_faillock_account_phase_password-auth" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_authsucc_deny_password-auth" version="1">
<ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_deny" />
</ind:textfilecontent54_state>
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_account_phase_password-auth" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true" />
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<external_variable comment="number of failed login attempts allowed" datatype="int" id="var_accounts_passwords_pam_faillock_deny" version="1" />
</def-group>
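Review bot: The preauth patterns in the `object_accounts_passwords_pam_faillock_preauth_silent_*` objects end in `deny=([0-9]+)[\s]*[\n]`, so a preauth line that carries any option after `deny=` (for example `unlock_time=`) or before it (`audit`) is reported non-compliant even though the lockout is in force, and the authfail patterns likewise accept `deny=` only as the very first option after `authfail`. The authfail patterns also require `pam_unix\.so[^\n]+[\n]`, so a bare `auth sufficient pam_unix.so` row with no options fails that check, while the preauth patterns use `[^\n]*` for the same row; the two should agree. I would anchor only on the module and phase keywords and let the remaining options sit anywhere on the line: `pam_faillock\.so[\s]+preauth[\s]+silent[^\n]*deny=([0-9]+)[^\n]*[\n]` and `pam_faillock\.so[\s]+authfail[^\n]*deny=([0-9]+)[^\n]*[\n]`, and change `pam_unix\.so[^\n]+[\n]` to `pam_unix\.so[^\n]*[\n]`, in both the system-auth and password-auth objects. Separately, the comments on the password-auth authfail and account-phase objects still say "Read whole /etc/pam.d/system-auth content" and should name /etc/pam.d/password-auth, and `pam_faillock_so` in the two account-phase test comments should read `pam_faillock.so`.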